Privacy Policy

Reply Autopilot · Last updated: 20 July 2026

⚠️ Final legal review recommended before the 20 July 2026 go-live. The EU→US transfer wording and consumer clauses should be checked by a German Datenschutz lawyer, and a signed DPA with each AI provider must be in place.

1. Data Controller (Verantwortlicher)

The controller under the GDPR (DSGVO), the German BDSG and the DDG is:

AI Waverider — Sakhr Al-Absi (Einzelunternehmer)
Hünensteig 12, 12169 Berlin, Germany
Email: support@aiwaverider.com · Phone: +49 159 06455476

We are not legally required to appoint a Data Protection Officer (Datenschutzbeauftragter).

2. Scope

This policy covers the Reply Autopilot application and the data we receive from the mailboxes and providers (Google, Microsoft and others) you authorize.

3. What we process

Account data: name, email, authentication identifiers, plan/billing status.
Connected-mailbox data: the content, headers, metadata, attachments and thread history of emails in mailboxes you connect — needed to classify replies and draft responses on your behalf.
Google / Microsoft user data: access/refresh tokens and the email/calendar data the granted scopes allow (see §4).
Usage & technical data: logs, device/browser info, IP address, feature usage, AI cost metering.
Payment data: processed by Stripe (we do not store card numbers).

4. Google user data & Limited Use

We request the minimum scopes needed: gmail.modify (read inbound mail to classify and draft replies), gmail.send (send approved replies), calendar.events / calendar.readonly (booking), and userinfo.email / userinfo.profile (identify your account).

Reply Autopilot's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Google user data is used only to provide and improve the user-facing features of the Service. We do not use it for advertising, do not sell it, and do not transfer it except as needed to provide the Service, to comply with law, or in a merger/acquisition with notice. No humans read your Google user data except with your consent, where necessary for security, to comply with law, or where aggregated and anonymized. The same principles apply to Microsoft (Mail.ReadWrite, Mail.Send) and other connected providers.

5. AI processing & sub-processors

To generate classifications and replies, the content of your emails is sent to third-party AI providers for processing, depending on your settings:

OpenAI — openai.com, United States (default model provider)
Anthropic — anthropic.com, United States

They process this content as our sub-processors, solely to return the classification/reply; under their current API terms they do not train their models on API-submitted data. Other sub-processors: hosting (Contabo, Germany/EU), Stripe (payments), and the email/calendar APIs you connect (Google, Microsoft, EmailBison, PlusVibe).

International transfer. Our AI sub-processors process data on servers in the United States (the API does not use EU residency by default), so this is a transfer under Chapter V GDPR. It is safeguarded by (i) the EU Commission's Standard Contractual Clauses (2021), Module Two, in each provider's Data Processing Addendum (Art. 46(2)(c) GDPR), and (ii) where certified, the EU-US Data Privacy Framework adequacy decision of 10 July 2023 — Anthropic is a certified participant; OpenAI relies on the SCCs. A Transfer Impact Assessment is performed where required.

6. Purposes & legal bases (Art. 6 GDPR)

Contract (Art. 6(1)(b)): operating the Service — connecting mailboxes, classifying, drafting, sending, booking.
Consent (Art. 6(1)(a)): connecting a mailbox and enabling auto-send; withdrawable anytime by disconnecting.
Legitimate interests (Art. 6(1)(f)): security, abuse prevention, metering, improvement.
Legal obligation (Art. 6(1)(c)): tax/retention duties.

7. Retention

Email data is retained only as long as needed to provide the Service and is deleted within 30 days after you disconnect a mailbox or delete your account, except where longer retention is legally required (e.g. invoices). Tokens are revoked on disconnect.

8. Your rights — and how they vary by region

EEA / UK (GDPR): you have the rights of access, rectification, erasure, restriction, portability, objection, and withdrawal of consent (Art. 15–22 GDPR), and may complain to a supervisory authority — for Berlin, the Berliner Beauftragte für Datenschutz und Informationsfreiheit.

Outside the EEA/UK: the statutory rights above are EU rights. If you use the Service from another country, you have the data-protection and consumer rights granted by your local law, which may differ. For example, California residents have rights under the CCPA/CPRA. We honour applicable local rights; contact support@aiwaverider.com to exercise them.

9. Data deletion & revoking access

Disconnect any mailbox in-app to revoke our access immediately.
Revoke the app at Google Account permissions / your Microsoft account.
Request full account + data deletion via support@aiwaverider.com.

10. Security

Data in transit is encrypted (TLS); credentials and access/refresh tokens are encrypted at rest (AES-256-GCM); access is restricted and changes are audit-logged.

11. International transfers

Transfers to the United States (AI sub-processors, Stripe, hosting where applicable) are safeguarded by the 2021 EU Standard Contractual Clauses in each sub-processor's DPA and, where the provider is EU-US Data Privacy Framework certified, by the Commission's adequacy decision of 10 July 2023. See §5.

12. Changes & contact

We may update this policy; material changes are notified by email. Questions: support@aiwaverider.com.